AWS Identity and Access Management
User Guide

Understanding Access Level Summaries Within Policy Summaries

Policy summaries include an access level summary that describes the actions defined for each service that is mentioned in the policy. To learn about policy summaries, see Understanding Policy Summaries in the AWS Management Console.

The following example describes the access provided by a policy for five services. For examples of full JSON policy documents and their related summaries, see Examples of Policy Summaries.

Service (access level): what this policy provides

  • IAM (Full access): Access to all actions with the List, Read, Write, and Permissions management access level classifications within the IAM service.

  • CloudWatch (Full: List): Access to all CloudWatch actions in the List access level, but no access to actions with the Read, Write, or Permissions management access level classification.

  • Data Pipeline (Limited: List, Read): Access to at least one but not all AWS Data Pipeline actions in the List and Read access levels, but not to the Write or Permissions management actions.

  • EC2 (Full: List, Read; Limited: Write): Access to all Amazon EC2 List and Read actions and access to at least one but not all Amazon EC2 Write actions, but no access to actions with the Permissions management access level classification.

  • S3 (Full: List, Read; Limited: Write, Permissions management): Access to all Amazon S3 List and Read actions and access to at least one but not all Amazon S3 Write and Permissions management actions.

As previously mentioned, within the access level element of the policy summary, Full access indicates that the policy provides access to all the actions within the service. Policies that provide access to some but not all actions within a service are further grouped according to the access level classification. This is indicated by one or both of the following access-level groupings:

  • Full: The policy provides access to all actions within the specified access level classification.

  • Limited: The policy provides access to one or more but not all actions within the specified access level classification.

Access level summaries that include such partial access to actions are grouped using the following access level classifications:

  • List: Permission to list resources within the service to determine whether an object exists. Actions with this level of access can list objects but cannot see the contents of a resource. For example, the Amazon S3 action ListBucket has the List access level.

  • Read: Permission to read but not edit the contents and attributes of resources in the service. For example, the Amazon S3 actions GetObject and GetBucketLocation have the Read access level.

  • Write: Permission to create, delete, or modify resources in the service. For example, the Amazon S3 actions CreateBucket, DeleteBucket and PutObject have the Write access level.

  • Permissions management: Permission to grant or modify resource permissions in the service. For example, most IAM and AWS Organizations actions, as well as Amazon S3 actions such as PutBucketPolicy and DeleteBucketPolicy, have the Permissions management access level.

    Tip

    To improve the security of your AWS account, restrict or regularly monitor policies that have the Permissions management access level classification.
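The following added example (not from the AWS documentation) shows how the Full / Limited grouping rules above can be computed for an Allow-only policy. It assumes a small constructed catalog containing only the S3 actions this page names; the real AWS action catalog is much larger, and Deny and NotAction statements are not modeled.

```python
import fnmatch

# Constructed catalog: the S3 actions named on this page and their access levels.
ACTION_LEVELS = {
    "s3:ListBucket": "List",
    "s3:GetObject": "Read",
    "s3:GetBucketLocation": "Read",
    "s3:CreateBucket": "Write",
    "s3:DeleteBucket": "Write",
    "s3:PutObject": "Write",
    "s3:PutBucketPolicy": "Permissions management",
    "s3:DeleteBucketPolicy": "Permissions management",
}
LEVEL_ORDER = ["List", "Read", "Write", "Permissions management"]


def allowed_actions(policy, catalog):
    """Expand the Action patterns of Allow statements (wildcards included) against the catalog."""
    allowed = set()
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be given without a list
        statements = [statements]
    for stmt in statements:
        if stmt.get("Effect") != "Allow" or "Action" not in stmt:
            continue  # Deny and NotAction are not modeled in this example
        patterns = stmt["Action"]
        if isinstance(patterns, str):
            patterns = [patterns]
        for pattern in patterns:
            # IAM action names match case-insensitively; '*' and '?' are wildcards.
            allowed.update(a for a in catalog if fnmatch.fnmatchcase(a.lower(), pattern.lower()))
    return allowed


def access_level_summary(policy, catalog=ACTION_LEVELS):
    """Return {"Full access": True} or {"Full": [...levels], "Limited": [...levels]}."""
    allowed = allowed_actions(policy, catalog)
    if allowed == set(catalog):
        return {"Full access": True}  # every action in the service is allowed
    summary = {"Full": [], "Limited": []}
    for level in LEVEL_ORDER:
        level_actions = {a for a, lvl in catalog.items() if lvl == level}
        granted = allowed & level_actions
        if granted == level_actions:
            summary["Full"].append(level)  # all actions at this level
        elif granted:
            summary["Limited"].append(level)  # some, but not all
    return summary


# Constructed sample policy that reproduces the S3 row of the table above.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:ListBucket", "s3:Get*"], "Resource": "*"},
    {"Effect": "Allow", "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Effect": "Allow", "Action": "s3:PutBucketPolicy", "Resource": "arn:aws:s3:::example-bucket"}]}
```

Running `access_level_summary(SAMPLE_POLICY)` yields Full: List, Read and Limited: Write, Permissions management, which is what the policy summary would display for S3; a Limited or Full entry under Permissions management is the case the Tip above says to watch for.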